366 Appendix ■ Answers
70. C. An access control matrix is a table that lists objects, subjects, and their privileges.
Access control lists focus on objects and which subjects can access them. Capability tables
list subjects and what objects they can access. Subject/object rights management systems
are not based on an access control model.
71. C. Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don’t have the same impact that a self-service system does.
72. C. RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP. AES pre-shared symmetric ciphers are not a supported solution and would be very difficult to both implement and maintain in a large environment, and the built-in encryption in RADIUS only protects passwords.
73. B. OAuth provides the ability to access resources from another service and would meet Jim’s needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.
74. B. Since physical access to the workstations is part of the problem, setting application time-outs and password-protected screensavers with relatively short inactivity time-outs can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.
75. The security controls match with the categories as follows:
- Password: B. Technical.
- Account reviews: A. Administrative.
- Badge readers: C. Physical.
- MFA: B. Technical.
- IDP: B. Technical.
Passwords, multifactor authentication (MFA) techniques, and intrusion prevention systems (IPS) are all examples of technical controls. Account reviews are an administrative control, while using badges to control access is a physical control.
76. A. Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, like a text message or phone call, and password verification requires a password.
77. C. The US government’s Common Access Card is a smart card. The US government also issues PIV cards, or personal identity verification cards.
78. C. OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identity verification and basic profile information. SAML is the Security Assertion Markup Language, Shibboleth is a federated identity solution designed to allow web-based SSO, and Higgins is an open-source project designed to provide users with control over the release of their identity information.